Slashdot Mirror


Trojan Compromises Oregon Taxpayers

Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."

19 of 250 comments

  1. Only 2000 people paying tax in Oregon? by jd · · Score: 4, Funny

    No wonder my taxes this year were so high. Hey, guys, I can't pay for Trimet on my own!

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. Re:Cliché by tomhudson · · Score: 4, Funny

    Hey, maybe I can get government funding for creating an approved porn list of sites that government employees can surf without getting a drive-by smack ...

    .. or at least a research grant from the Department of Homeland Security ... after all, if we don't have safe pr0n, the terr'rists have won!

  3. moron! by eobanb · · Score: 5, Insightful

    Forgive my crudeness, but...what an idiot!

    Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software, lax rules on conduct...I don't know where to even begin.

    --

    Take off every sig. For great justice.

    1. Re:moron! by Anonymous Coward · · Score: 5, Informative

      We should list the failures. Otherwise we don't learn anything. Since events like this are occurring all over the place, there is obviously an issue with government security controls. I'll start:

      1. Allowing private data to be stored on a workstation that has access to the Internet.
      2. Failure to encrypt private data or a private key (presumably) when the computer is connected to the Internet.
      3. Allowing a user who has access to private data to access sites that do not have anything to do with official duties.
      4. Failure to log data packets sent on a secure computer (not every packet, but at least the bytes sent).

      All of these have the same root cause: the government and government employees did not consider the private data in their custody important enough to require rigorous controls and rigorous controls were not implemented. We could break down the problems into training issues, operational issues, etc., and politicians certainly will. But I would guess that the issue was due to a lack of political motivation to hold accountable every state IT group that has access to private data. Secure networks with access to classified or private information can be built, like the SIPRNET, but people didn't think the private data was important enough. It will change in Oregon (at least for the Dept. of Revenue) due to this incident, but elsewhere in the country people will carry on business as usual, until it affects them.

      Anyone want to guess how long it takes before Social Security numbers become worthless because of these data intrusions? We know the government isn't going to learn.

    2. Re:moron! by Anonymous Coward · · Score: 4, Informative

      I work for a school district in California and as part of my duties I am responsible for the content filter (squid children+dansguardian+squid parent peers) and I parse the content to sarg logs with a few custom reports. One of those reports is between the hours of 3-5pm and on

      I can tell you, the majority of web usage during the hours where students are not present (90%+ of bandwidth utilization yearly, nearly 100% during Late Nov/all Dec) is personal shopping. Sure, there is a good deal of sports and a spattering of news sites as well. But the people your tax dollars pay to be doing work, are spending your tax dollars and getting paid to do it.

      Individuals who get caught have their internet disabled and *might* be written up. Being written up in government means you might be able to have it used against you if you: a) sexually harass someone, or b) come to work drunk/stoned. As far as penalties in government work, umm... there aren't really any. I do have to pay state income tax (with no other income source than the state). Of course there are lots of other inefficiencies, rampant graft, overly complex bureaucratic hierarchies and completely complacent unions, but such are the benefits of socialism.

    3. Re:moron! by Anonymous Coward · · Score: 5, Informative

      Why do you assume there was no web filtering software?
      There was. Major player in the industry, updated every day.
      Virus software on the desktops set to update every 2 hours.
      This was a zero day exploit from a non-obvious, not yet blocked web site.
      It reported back only via port 80.
      The trojan wasn't picked up by virus protection until after we reported it, which was after we discovered it.
      He might have been an idiot, but not a dumb one.
      As for rules on conduct, surprisingly, browsing porn is actually against the rules.
      You have to sign an Internet Use agreement before you can use the Internet.
      Windows? Well, we have no choice there.
      There were some things that the tech staff has asked for that we now are likely to change, but the tech stuff is much better than I've seen in the other agencies.
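The two comments above describe concrete things a proxy log can answer: the school-district admin's per-hour usage reports built from squid/DansGuardian logs, and the Revenue department's note that the trojan "reported back only via port 80" (the same blind spot the earlier list calls "failure to log ... at least the bytes sent"). The following added example, not code from either poster, shows both over squid's default native-format access.log: a bytes-per-category report restricted to a time window, and a simple beacon check that flags a client hitting one host at near-constant intervals, which ordinary browsing rarely does. The log lines, hostnames, IPs, and the host-to-category map are constructed for the example; a real filter would supply its own categories.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Squid "native" access.log format, one request per line:
#   <unix-time> <elapsed-ms> <client> <result>/<status> <bytes> <method> <url> <ident> <hier>/<peer> <mime>
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)

# Hypothetical host -> category map, standing in for a content filter's lists.
CATEGORIES = {
    "shop.example": "shopping",
    "news.example": "news",
    "intranet.district.example": "work",
}


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Strip scheme, path and port to get the destination host.
    host = re.sub(r"^[a-z]+://", "", d["url"]).split("/")[0].split(":")[0]
    return {
        "ts": float(d["ts"]),
        "client": d["client"],
        "bytes": int(d["bytes"]),
        "method": d["method"],
        "host": host,
        "category": CATEGORIES.get(host, "uncategorised"),
    }


def parse_log(text):
    """Parse a whole log, silently skipping malformed lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def hourly_category_report(records, start_hour, end_hour, tz=timezone.utc):
    """Bytes per category for requests whose hour falls in [start_hour, end_hour)."""
    totals = defaultdict(int)
    for r in records:
        hour = datetime.fromtimestamp(r["ts"], tz).hour
        if start_hour <= hour < end_hour:
            totals[r["category"]] += r["bytes"]
    return dict(totals)


def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Flag (client, host) pairs contacted at near-constant intervals.

    Human browsing has irregular gaps between requests; malware calling home
    usually runs on a fixed timer.  A pair is flagged when it has at least
    min_hits requests and the spread of the gaps (stdev / mean) is small.
    Returns {(client, host): mean_interval_seconds}.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


# --- constructed sample log (not real traffic) -------------------------------
def _line(ts, client, nbytes, method, url):
    return f"{ts:.3f}    120 {client} TCP_MISS/200 {nbytes} {method} {url} - DIRECT/203.0.113.10 text/html"


_BASE = datetime(2006, 3, 28, 15, 0, tzinfo=timezone.utc).timestamp()  # 15:00 UTC

SAMPLE_LOG = "\n".join(
    # a staff workstation shopping after the school day, irregular gaps
    [_line(_BASE + t, "10.0.0.5", 4000, "GET", "http://shop.example/cart")
     for t in (30, 95, 410, 1200, 1750)]
    + [_line(_BASE + 600, "10.0.0.5", 2500, "GET", "http://news.example/")]
    + [_line(_BASE + 700, "10.0.0.6", 900, "GET", "http://intranet.district.example/")]
    # an infected host POSTing to an unclassified IP over plain HTTP every 5 minutes
    + [_line(_BASE + 300 * i, "10.0.0.7", 512, "POST", "http://203.0.113.9/gate.php")
       for i in range(6)]
)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("15:00-17:00 bytes by category:", hourly_category_report(recs, 15, 17))
    print("beacon candidates:", find_beacons(recs))
```

The beacon check is deliberately crude: a fixed `max_jitter` will miss malware that randomises its sleep, and a short `min_hits` will flag legitimate pollers such as auto-refreshing pages, so in practice it is a triage list to cross-check against the filter's category (here "uncategorised") and the request method rather than an alert on its own.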

  4. Indicative of a larger problem by mcpkaaos · · Score: 5, Insightful

    What was real data doing on a workstation with Internet access in the first place? One would think (hope?) that such data would be under heavy lock and key and only accessible by the software written to manage it or, when absolutely necessary, a trusted administrator with lotsa logging.

    It is absolutely amazing to me that this event was even possible.

    --
    It goes from God, to Jerry, to me.
    1. Re:Indicative of a larger problem by KnowledgeFreak · · Score: 5, Informative

      Mod this guy up, he knows what he's talking about. I work with Data in the private sector and data like this cannot be on an unprotected machine.

      What he's saying is that the data should only be on an Oracle or whatever database where only reporting applications can run pre-written reporting programs on it. Those programs will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same time (and rarely that stuff at all).

      The reporting monkeys take *that* home. No one actually gets to see the data. This is exactly what part of Sarbanes-Oxley is forcing the private sector to do with customer credit card data and other sensitive info.

    2. Re:Indicative of a larger problem by TheViewFromTheGround · · Score: 4, Insightful
      It is absolutely amazing to me that this event was even possible.

      Actually, it isn't that amazing at all. I'm wrapping up a sysadmin gig in the nonprofit world (and moving back to strictly commercial work) right now. Specifically, I'm in legal services, where the IT talent is very thin but some of the privacy and security needs are pretty serious. I can tell you, I know of three legal services organizations or programs in the US that practice anything resembling defense-in-depth. That's why a lot of recent attacks (like the rise of "spear-phishing") use social engineering to get in. Because once you're inside the walls, so to speak, far too many networks are open season that really shouldn't be.

      If you're throwing around passwords in the clear or unencrypted files or have network shares with sensitive information and broad access on the local network, the risk is there because there's always a door to the inside in our pervasive-Internet world. In many cases, that door is through human nature/sociological probability/whatever you want to call it.

      A sysadmin must absolutely assume that there will be a user that is going to pull this kind of stupid crap, and design their defenses around it. But, speaking from experience, go to a big ol' local nonprofit that has lots of sensitive client information and start grilling the sysadmins about defense-in-depth and see what they say. You think they're monitoring all local network segments for malicious traffic with Snort? Encrypting local traffic and keeping a tight lock on any shared resources? Have a containment strategy if they detect an intrusion? Have clear and enforceable policies with respect to data retention or user activity? You'll definitely find folks are running Symantec Enterprise and have a badass firewall, etc, and that's cool, but it just isn't enough.

      Shoot, this isn't local security, but nonetheless some major ASPs that handle donations for nonprofits provide the option of sending credit card numbers in the clear. Sure, you're looking at a secure page, but some script is actually doing the real POST over straight http, and you never see it.

      Defense-in-depth is going to become more and more critical for everybody, especially small and medium sized businesses that have been marketed elaborate and powerful perimeter defenses and anti-virus companies have hawked products that day-by-day become increasingly irrelevant to the real security threats, which must rely on tightening local security measures and doing actual traffic analysis of the network itself, not just watching for compromises on the client, because those compromises are going to be harder and harder to detect as the compromises become more and more social in nature and frankly, only good for post-mortem analysis, after the catastrophe has already hit.

      A final thought: Elaine Scarry, a philosopher, is writing a book on the meaning of consent in a world where nuclear war is a possibility. I think one could ask some questions about the meaning of technological freedom in a world where a lot of greedy, malicious people are out to clobber any and all security weaknesses on computing machines that store and transmit incredibly sensitive information.

      --
      Online citizen journalism from the inner city: The View From The Ground
  5. From the I've-never-had-a-2,200-some-before dept. by NMerriam · · Score: 5, Funny

    Though on the bright side, porn site customers finally have a way to get screwed over the internet!

    --
    Recursive: Adj. See Recursive.
  6. On the other hand by Sentri · · Score: 4, Insightful

    FTA:

    "Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday."

    Let's read that again

    Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday.

    EX-EMPLOYEE!
    What the hell was an ex-employee doing on site, surfing porn? Forget computational security, what about physical security?

    In the words of Napoleon Dynamite "Freakin Idiot!"

    --
    Can't we all just get along
    1. Re:On the other hand by whitehatlurker · · Score: 4, Informative

      There is a switch in the story from employee to "ex". The employee was fired subsequent to the leak, but was "working" at the time of the download.

      --
      .. paranoid crackpot leftover from the days of Amiga.
  7. Another view, better tech quality by whitehatlurker · · Score: 4, Informative
    Here's a better version. The site did hassle me about where I lived for a bit, until I said I was a foreigner.

    Quote from this one: "We maybe had a false sense of security," O'Meara said.

    Whoa, maybe. Y'think?

    The Trojan horse gathered the equivalent of 7,000 text pages of data.
      Somewhere a scammer is very, very busy.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  8. Oregon = Oregon Trail by Tickle+Cricket · · Score: 4, Funny
    You get a Trojan!
    You die of dysentery lol
  9. Welcome to the present... by Sparr0 · · Score: 4, Informative

    None of that information is secret. Your SSN, Address, and Name are all public information, the subject of numerous public records that anyone patient enough can pay $.10 per copy to get. Or just visit the appropriate county records website.

  10. Re:Cliché by afaik_ianal · · Score: 4, Funny

    It's just lucky this happened in Oregon, rather than Virginia.

    Now where's my +5, huh?

  11. Re:Cliché by kfg · · Score: 4, Funny

    If people from Troy, Oregon are called Trojans, how come people from Tampa, Florida aren't called Tampons?

    KFG

  12. No Lawyer Necessary - Only Patience. Here's How by Anonymous Coward · · Score: 5, Informative
    when information is leaked about your own private stuff, you should get a lawyer.

    A lawyer is unnecessary and expensive. It's easy to handle ID theft once you understand that the situation cannot be corrected immediately, that you shouldn't go ballistic, and that time and patience (and a few simple procedures) are all that's required to correct the situation:
    1. Write to the major credit bureaus and ask for a credit report from each. Explain that you're a victim of ID theft and they'll give you a free credit report.
    2. Ask the credit bureau to place a 7-year freeze on your credit report (not the 3-month freeze). That ensures that anyone who extends credit must contact you directly (usually by phone) prior to extending credit. Make sure the credit bureau has your phone number correct!
    3. If the ID theft resulted from something locally enforceable (stolen wallet, burglary), file an offense report with the local police and get a printed copy of the report.
    4. Find any fraudulent/old accounts on your credit report. For old accounts, write to the address on the credit report informing the creditor and ask that the account be closed. For fraudulent accounts, notify the creditor of same and include a copy of the police report (above). For any fraudulent account _applications_, also notify the creditor that the application was fraudulent.
    5. In all cases, ask the creditor to notify the major credit bureaus of all updates/closure of accounts.
    6. Keep paper copies of all letters - use a separate paper file folder for each account or account application. Seems tedious, but you'll be glad you did, believe me.

    Above all, be patient, take your time (there's no rush, all changes are made at snail mail speed at best) and don't worry. Just go through the steps and everything can be corrected within about 180 days.

    After that, make sure you check your credit record with the major credit bureaus at least once a year. They'll send this for free. Follow the above steps whenever you see a fraudulent account or application. The Bad Guys won't be able to touch you.

  13. They don't have to care as long as others pay by quentin_quayle · · Score: 4, Insightful

    Is it just my perception or is this becoming routine now?

    I used to be only concerned in a detached way. Then *today* I received a letter from the student loan people saying, in essence: "We lost a dataset including your information. Sorry! Better contact the credit bureaus, and watch your financial statements. Have a nice day!"

    The only way we are going to have data security is if the parties that fail to secure data are held responsible for the consequences to others. Ideally, that would mean that if someone commits fraud using my stolen data, the organization that lost it has to pay me the actual cost of correcting credit reports, changing all my accounts, compensation for time spent, any lawyers needed, etc..

    Instead the banks are allowed to exploit the situation by selling insurance against it. We can't even get disclosure laws everywhere.

    Well excuse me for ranting. I guess my only point is, the only way the technical and user-education type of solutions will become relevant is if the costs are placed appropriately.